Thursday, December 26, 2013

Fine Grained Password Policies

Purpose of Fine Grained Password Policy (FGPP)

The primary purpose of fine-grained password policies is to let the
administrator apply stricter password and lockout settings to privileged
accounts that handle assets critical to the organization than to
non-privileged accounts that do not. Before Windows Server 2008 a domain could
have only one password policy, the one set in the Default Domain Policy; since
Windows Server 2008, Fine Grained Password Policies (FGPP) make it possible for
different users and groups in the same domain to have different policies.

What are FGPPs?

Fine-grained policies apply only to user objects and global security groups;
a policy linked to a computer, a domain local group or a universal group has no
effect. Normally the password policy is set for all users at the domain level,
in the Default Domain Policy GPO. This domain-level password policy can be
viewed by:
1. firing up the Group Policy Management Console ('gpmc.msc'; note that
'gpedit.msc' only edits the local computer policy, not the domain policy)
2. editing Default Domain Policy [Domain name] -> Computer Configuration
-> Policies -> Windows Settings -> Security Settings -> Password
Policy
Once you select the above path the Password Policy (applicable to the
domain) will appear in the right-hand panel of the Group Policy Management
Editor window. Account Lockout Policy sits next to it under Security Settings,
and a fine-grained policy overrides both the password and the lockout settings
for the users it applies to.

Requirements for FGPP

FGPP was introduced in Windows Server 2008, so in order to use this feature
the domain functional level must be Windows Server 2008 or higher, which in
turn requires that every domain controller in the domain runs Windows Server
2008 or later (the forest functional level does not matter). The domain
functional level can be checked as follows:
1 - Start -> Administrative Tools -> Active Directory Users and
Computers
2 - Right-click the domain in the left-hand panel.
3 - Select Properties.
You will be presented with the properties of the domain, including the
Domain functional level; make sure it is Windows Server 2008 or higher. The
level cannot be raised while a domain controller running an older version of
Windows remains in the domain.

How to create FGPPs

The fine-grained policies are stored as Password Settings Objects (PSOs) in
the Password Settings Container (PSC) under the System container of the
domain. By default only members of Domain Admins can create them.
1 - You will need to fire up ADSI Edit ('adsiedit.msc') on a domain
controller of your domain and connect to the Default naming context of your
domain.
2 - Once in the domain, navigate down to CN=System. Once CN=System has
expanded, look for CN=Password Settings Container (the PSC). We need to create
a new object in the PSC: right-click CN=Password Settings Container and select
New -> Object.
3 - From the list of object classes select 'msDS-PasswordSettings' (most
probably the only option in the list), then click 'Next'.
4 - The next window asks for a value for cn; this is where you provide a
name for the policy. For the sake of this tutorial we will name it 'Grained
policy', but it can be anything that makes it distinct and easy to locate.
5 - Enter the precedence (msDS-PasswordSettingsPrecedence) you want to apply
to this particular object. The precedence is used when two or more policies
apply to the same user: the lower precedence value wins. A PSO linked directly
to the user always beats one inherited through group membership, whatever the
precedence values; precedence only decides between PSOs linked the same way,
and if two have the same precedence the one with the lowest objectGUID wins.
The value 10 is acceptable.
6 - The object creation process is wizard based and you can fill in the
remaining values according to the information given below (source
blogs.technet.com). The recommended values and format for each of the
attributes are provided by the author:

Now we get into crazy land. msDS-MinimumPasswordAge, msDS-MaximumPasswordAge,
msDS-LockoutObservationWindow and msDS-LockoutDuration are all stored in I8
(64-bit integer) format, as negative 100-nanosecond intervals. To quote from
TechNet:
When you use ADSI Edit to create Password Settings
objects (PSOs), enter the values of the four time-related PSO attributes
(msDS-MaximumPasswordAge, msDS-MinimumPasswordAge,
msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.
We will use the d:hh:mm:ss format: for example 42:00:00:00 is 42 days and
0:00:30:00 is 30 minutes, and ADSI Edit converts these to the integer that is
actually stored. To make msDS-MaximumPasswordAge never expire, enter the
literal string (never).

7 - After entering the value for the last attribute, msDS-LockoutDuration,
close the wizard by clicking 'Finish'. The PSO now exists but applies to
nobody yet, so assign 'Grained policy' to a user or group by right-clicking
the new object and clicking 'Properties'. Scroll down the 'Attribute Editor'
to find the 'msDS-PSOAppliesTo' attribute and click 'Edit'.

8 - Click 'Add Windows Account' and you will be presented with a window
similar to the one used to assign permissions on folders, to select a user or
group. Enter the name of the user or global security group to which you wish
to assign the granular password policy. Once selected, the distinguished name
of the user or group will appear in the 'Values' section of the
'msDS-PSOAppliesTo' attribute.
The Fine Grained Password Policy is now in place. To confirm which policy a
given user actually receives, look at that user's read-only msDS-ResultantPSO
attribute in ADSI Edit (it is a constructed attribute, so enable 'Constructed'
in the attribute editor's Filter to see it). Note that a PSO does not force a
password change: the stricter settings are only enforced the next time a
password is set, so existing passwords that fall short of the new minimum
length stay valid until they expire or are reset.
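The same procedure driven from PowerShell, as an added example that is not part of the original tutorial. It uses the Active Directory module cmdlets that ship with the Windows Server 2008 R2 (and later) RSAT tools; the group 'Tier0-Admins' and the user 'svc-backup' are hypothetical placeholders, and the policy values mirror the tutorial's 'Grained policy' with a 15-character minimum. The script checks the functional-level requirement first, creates and links the PSO, and then verifies the resultant policy for one user, which is the step people most often skip.

```powershell
Import-Module ActiveDirectory

# 1. Precondition: the domain functional level must be Windows Server 2008 or higher.
$domain = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level is $($domain.DomainMode); FGPP requires Windows2008Domain or higher."
}

# 2. Show the domain-wide baseline (Default Domain Policy) that the PSO will override for its subjects.
Get-ADDefaultDomainPasswordPolicy

# 3. Create the PSO. Lower precedence wins when several PSOs apply to the same user.
#    The time-related attributes take .NET TimeSpans here, not the d:hh:mm:ss strings ADSI Edit expects.
New-ADFineGrainedPasswordPolicy -Name 'Grained policy' -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 15 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# 4. Link the PSO to a global security group (placeholder name). PSOs only take effect for
#    users and global security groups; linking a domain local or universal group does nothing.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Grained policy' -Subjects 'Tier0-Admins'

# 5. Verify which PSO actually wins for a member of that group (placeholder account).
#    The cmdlet returns nothing when no PSO applies and the user falls back to the domain default.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'
if ($null -eq $resultant) {
    Write-Warning 'svc-backup gets the Default Domain Policy only; check the group type and membership.'
} else {
    '{0} applies to svc-backup (precedence {1}, MinPasswordLength {2})' -f `
        $resultant.Name, $resultant.Precedence, $resultant.MinPasswordLength
}

# 6. Inventory every PSO in the domain with its subjects, lowest (winning) precedence first.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Precedence = $_.Precedence
            MinLength  = $_.MinPasswordLength
            AppliesTo  = ($_.AppliesTo | ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', '
        }
    }
```

Run the script as a member of Domain Admins on a machine with the AD module installed. Step 5 is the check worth keeping in any change procedure: a PSO that is created but linked to the wrong kind of group silently leaves its intended subjects on the weaker domain default.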

About the Author: Saquib Farooq Malik is a senior Information Security
Consultant at ITButler e-Services (www.itbutler.com.au). Saquib specializes
in Vulnerability Assessment and Penetration Testing, and in implementations of
ISO 27001 in different corporate environments in the Middle East.

He is a CISSP, an ITILv3 Foundation certified professional,
ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension
Certified Engineer.